CN100524154C - A computer system including a bus bridge for connection to a security services processor - Google Patents

Info

Publication number
CN100524154C
CN100524154C
Authority
CN
China
Prior art date
Legal status
Expired - Fee Related
Application number
CNB2004800117221A
Other languages
Chinese (zh)
Other versions
CN1781069A
Inventor
D·E·久利克
G·S·斯特隆金
L·D·休伊特
Current Assignee
GlobalFoundries Inc
Original Assignee
Advanced Micro Devices Inc
Events
Application filed by Advanced Micro Devices Inc
Publication of CN1781069A
Application granted
Publication of CN100524154C
Anticipated expiration
Current legal status: Expired - Fee Related

Classifications (CPC)

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 1/00 Details not covered by groups G06F 3/00 - G06F 13/00 and G06F 21/00
    • G06F 13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F 15/00 Digital computers in general; Data processing equipment in general
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/71 ... to assure secure computing or processing of information
    • G06F 21/74 ... operating in dual or compartmented mode, i.e. at least one secure mode
    • G06F 21/82 Protecting input, output or interconnection devices
    • G06F 21/85 Protecting interconnection devices, e.g. bus-connected or in-line devices
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F 21/00 and subgroups addressing additional information or applications relating to security arrangements
    • G06F 2221/2105 Dual mode as a secondary aspect

Abstract

A computer system (10, 20) including a bus bridge (121, 221, 321) for bridging transactions between a secure execution mode-capable processor (100A-B) and a security services processor (130). The bus bridge may include a transaction source detector (450), a configuration header (415) and control logic (416). The transaction source detector may receive a security initialization transaction performed as a result of execution of a security initialization instruction. Further, the transaction source detector may determine whether the secure execution mode-capable processor is a source of the security initialization transaction. The configuration header may provide storage of information associated with the security services processor. The control logic may determine whether the security services processor is coupled to the bus bridge via a non-enumerable, peripheral bus (135, 335). The control logic may also cause the configuration header to be accessible during a boot-up sequence in response to determining that the security services processor is coupled to the non-enumerable, peripheral bus.

Description

A computer system including a bus bridge for connection to a security services processor
Technical field
The present invention relates to computer systems and, more particularly, to a computer system that employs a trusted execution mode to protect data stored in the computer system memory from unauthorized access.
Background art
U.S. Patent No. 6,092,202 discloses a system and method for secure transactions in which a secure coprocessor interfaces to a host computer system. Secure transactions are processed and executed by the secure coprocessor, while non-secure transactions are processed and executed in the host computer system. A second interface coupled to the secure coprocessor receives sensitive data from a smart card. Because the secure coprocessor provides this function, the only built-in functions required of the smart card are the storage of sensitive data, including account numbers and private keys, and witnessing and participating in electronic signatures. With fewer built-in functions, the smart card can be less complex and cheaper.
U.S. Patent No. 6,003,135 discloses a modular device that communicates with a host computer device so that one or more secure operations can be performed by the modular device on data stored in the host computer device, data provided to the modular device by the host computer device, or data retrieved from the modular device by the host computer device. The modular device may include a security module adapted to perform one or more secure operations on data.
Modern computer systems are changing the way people live. This is particularly true for system platforms that include microprocessors employing the x86 system architecture. The openness of x86-based systems to a large number of owner-installable third-party peripheral devices and applications has created a broad marketplace of hardware and software vendors that has fostered competition, innovation and evolution. One example of such evolution is the now widespread use of the platform as a digital communication and media system of ever-increasing quality and capability. Together with the Internet, these system platforms are clearly revolutionizing the mass distribution of digital content, allowing on-demand access to newspapers, real-time weather conditions and radio stations from around the world, on-line banking and shopping, and audio and video based entertainment.
Because the x86 platform is an open architecture, devices generally have vendor-supplied drivers that run in kernel mode in order to access the device, and some applications may include kernel-mode components. Thus, although the open architecture has advantages and still provides a large degree of protection against accidental interference of one application with another, the protection mechanisms of the existing architecture may be exposed in this environment to unwanted manipulation.
Computer systems that include microprocessors employing the x86 architecture include features designed to protect applications from interfering with each other. For example, x86-based operating systems rely on two features of the x86 protected mode architecture to provide an environment in which applications are isolated from each other, and critical operating system code and data are isolated from applications: 1) paged virtual memory, and 2) execution privilege level.
Paged virtual memory allows the operating system (OS) to define a separate virtual address space for each application process and to selectively map individual pages of physical memory into each of those virtual address spaces through a set of address translation tables. This gives each application its own private section of physical memory for code and data that cannot be accessed by other applications. The virtual memory mechanism also allows the operating system to selectively map pages of physical memory into multiple virtual address spaces, and to selectively designate such pages in virtual space as read-only. This shared mapping capability also allows a copy of the OS kernel itself to reside in each application's address space, and likewise allows shared mappings of peripheral device access ports and the associated device driver routines, thereby giving applications efficient access to operating system services without requiring costly address space switches. However, the OS portion of the address space necessarily includes system data areas that OS code must be able to modify and which must still be protected from application code. A read-only designation cannot provide proper protection for such areas.
The x86 architecture also defines four privilege levels, 0 through 3, which are assigned to regions of code by the operating system and kept in code segment descriptors. Typically, the privilege level of the currently executing code or procedure is stored as the Current Privilege Level (CPL). The privilege levels are therefore commonly referred to as CPL0 through CPL3. Using these privilege levels, certain system resources are accessible only to code executing at the proper level. The paged virtual memory architecture allows access to individual pages of virtual memory to be restricted by privilege level. Although four privilege levels are defined, only CPL0 and CPL3 are generally used by mainstream operating systems, because the paged virtual memory architecture does not distinguish CPL1 or CPL2 from CPL0. CPL0 is commonly referred to as kernel mode and is the most privileged level, while CPL3 is commonly referred to as user mode and is the least privileged level. Operating system code and data are generally assigned to CPL0, and application code and data are assigned to CPL3. CPL0 execution privilege does not override read-only protection; the two attributes are independent. Code segment descriptors are used to assign these levels.
In addition to this memory protection, all processor control registers, including those that control virtual memory operation, are by architectural definition accessible only at CPL0. Furthermore, special control transfer instructions are generally required to switch execution from one segment to another, and hence to switch privilege level. These instructions allow the operating system to limit the targets of such control transfers to specific entry points in OS-controlled code, so an application cannot change privilege level without simultaneously handing control over to the operating system.
The isolation of address spaces from each other, and of operating system memory from applications, is controlled entirely by the contents of the virtual memory address translation tables. The translation tables define the virtual-to-physical page mappings that isolate one application's memory from another's, and also define the read-only and privilege level attributes that protect shared libraries and the operating system. The tables themselves are memory-resident data structures and contain translation entries that map them into the shared operating system memory area and restrict access to them to kernel-mode code.
The existing protection mechanisms would seem to provide adequate protection for applications and the operating system. In a well-behaved system they do (for example, when the operating system applies these mechanisms correctly, the operating system code that controls these mechanisms operates correctly, and all other code running in kernel mode does not interfere with this system code). However, typical x86-based systems include such a large amount of kernel-mode code, not only from the operating system vendor but from many independent sources, that it may be impossible for anyone to assure that such interference, whether accidental or otherwise, cannot occur in any given system.
Depending on the type of operation a user is performing and the type of software application that is running, information stored within or running on the computer system may be vulnerable to outside access. It is therefore desirable to improve security and thereby make x86 architecture systems less vulnerable to such access.
Summary of the invention
Various embodiments of a computer system including a bus bridge for connection to a security services processor are disclosed. In one embodiment, a bus bridge for bridging transactions between a secure execution mode-capable processor and a security services processor includes a transaction source detector, a configuration header and control logic. The transaction source detector may be configured to receive a security initialization transaction performed as a result of execution of a security initialization instruction. Further, the transaction source detector may be configured to determine whether the secure execution mode-capable processor is the source of the security initialization transaction. The configuration header may be configured to provide storage of information associated with the security services processor. The control logic may be coupled to the configuration header and may be configured to determine whether the security services processor is coupled to the bus bridge via a non-enumerable peripheral bus.
In one specific implementation, the control logic may be configured to cause the configuration header to be accessible during a boot-up sequence in response to determining that the security services processor is coupled to the non-enumerable peripheral bus.
In another implementation, the non-enumerable peripheral bus is a low pin count (LPC) compliant bus.
In another embodiment, a bus bridge for bridging transactions between a secure execution mode-capable processor and a security services processor includes a transaction source detector, a base address shadow register and control logic. The transaction source detector may be configured to receive a security initialization transaction performed as a result of execution of a security initialization instruction. Further, the transaction source detector may be configured to determine whether the secure execution mode-capable processor is the source of the security initialization transaction. The base address shadow register may be configured to provide storage of enumeration information associated with the security services processor. The control logic may be coupled to the base address shadow register and may be configured to intercept transactions that include the enumeration information for the security services processor. The control logic may also cause the enumeration transactions to be directed to the base address shadow register.
In one specific implementation, the parallel multiplexed address and data peripheral bus is a peripheral component interconnect (PCI) compliant bus.
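The two bridge embodiments of the summary, as an added illustration that is not code from the patent or from AMD: a transaction source detector, a configuration header exposed at boot when the SSP sits on a non-enumerable (LPC) bus, and a base address shadow register that captures enumeration information when the SSP sits on an enumerable (PCI) bus. The transaction format, the unit ids, the address values and the decision to not forward a security initialization transaction whose source is not the SEM-capable processor are assumptions of this example (the summary only states that the source is determined).

```python
"""Toy model of the bus bridge described in the summary: a transaction
source detector, a configuration header or base address shadow register,
and the control logic that ties them together.

Constructed illustration, not AMD's design.  Assumptions: a transaction
carries the id of the unit that issued it; the bridge is told the id of
the SEM-capable processor at construction; a security initialization
transaction whose source is not that processor is not forwarded (the
summary only says the source is determined; the drop is this example's
choice); the shadowed base address is later used to route memory
transactions to the SSP.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Transaction:
    source: str      # id of the issuing unit, e.g. "cpu0" or "nic" (assumed)
    kind: str        # "sec_init", "config_read", "bar_write" or "mem"
    address: int = 0
    data: int = 0


@dataclass
class BusBridge:
    sem_processor_id: str
    ssp_bus: str                       # "lpc" (non-enumerable) or "pci"
    booting: bool = True
    config_header: dict = field(default_factory=dict)           # SSP info
    base_address_shadow: Optional[int] = None                   # enumeration info
    forwarded: List[Transaction] = field(default_factory=list)  # reached the SSP

    def source_is_sem_processor(self, txn: Transaction) -> bool:
        """Transaction source detector."""
        return txn.source == self.sem_processor_id

    def header_accessible(self) -> bool:
        """Control logic: the header is exposed during boot-up only when the
        SSP sits on a bus the OS cannot enumerate by itself."""
        return self.ssp_bus == "lpc" and self.booting

    def handle(self, txn: Transaction) -> str:
        """Route one transaction and report what the bridge did with it."""
        if txn.kind == "sec_init":
            if not self.source_is_sem_processor(txn):
                return "dropped"                   # not from the SEM processor
            self.forwarded.append(txn)
            return "forwarded"
        if txn.kind == "config_read":
            if self.header_accessible():
                return "header"                    # bridge answers for the SSP
            self.forwarded.append(txn)             # enumerable SSP answers itself
            return "forwarded"
        if txn.kind == "bar_write" and self.ssp_bus == "pci":
            self.base_address_shadow = txn.data    # intercepted and shadowed
            self.forwarded.append(txn)
            return "shadowed"
        if (txn.kind == "mem" and self.base_address_shadow is not None
                and txn.address == self.base_address_shadow):
            self.forwarded.append(txn)             # assumed use of the shadow
            return "forwarded"
        return "not for SSP"


def lpc_scenario() -> dict:
    """SSP on LPC: header visible at boot, only the SEM CPU may initialize."""
    br = BusBridge("cpu0", "lpc", config_header={"device": "ssp"})
    return {
        "probe_at_boot": br.handle(Transaction("cpu0", "config_read")),
        "init_from_cpu": br.handle(Transaction("cpu0", "sec_init")),
        "init_from_nic": br.handle(Transaction("nic", "sec_init")),
        "reached_ssp": len(br.forwarded),
    }


def pci_scenario() -> dict:
    """SSP on PCI: the BAR write is intercepted into the shadow register.
    The base address 0xD000_0000 is a constructed sample value."""
    br = BusBridge("cpu0", "pci")
    first = br.handle(Transaction("cpu0", "bar_write", data=0xD000_0000))
    return {
        "bar_write": first,
        "shadow": br.base_address_shadow,
        "mem_to_ssp": br.handle(Transaction("cpu0", "mem", address=0xD000_0000)),
        "mem_elsewhere": br.handle(Transaction("cpu0", "mem", address=0x1000)),
    }
```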
Brief description of the drawings
Fig. 1 is a diagram illustrating the operational domains of one embodiment of a secure execution mode-capable processor and the behavior of code operating in those domains;
Fig. 2 is a block diagram of one embodiment of a computer system employing a trusted computing platform;
Fig. 3 is a block diagram of another embodiment of a computer system employing a trusted computing platform;
Fig. 4 is a block diagram of one embodiment of an input/output (I/O) interface unit for connecting a security services processor;
Fig. 5 is a block diagram of another embodiment of an I/O interface unit for connecting a security services processor;
Fig. 6 is a diagram illustrating one embodiment of a Hash_Start packet formatted in the HyperTransport™ protocol;
Fig. 7 is a diagram illustrating one embodiment of a Hash_End packet formatted in the HyperTransport™ protocol;
Fig. 8 is a diagram illustrating one embodiment of a Hash_Data packet formatted in the HyperTransport™ protocol.
Detailed description
Although the invention is susceptible to various modifications and alternative forms, specific embodiments are shown by way of example in the drawings and are described in detail herein. It should be understood, however, that the drawings and detailed description of specific embodiments are not intended to limit the invention to the particular forms disclosed; on the contrary, the invention is intended to cover all modifications, equivalents and alternatives falling within the spirit and scope of the invention as defined by the appended claims.
Overview of a secure computing platform
Trusted computing enables users of computer systems (for example, personal computers (PCs)) to participate in new activities, such as downloading electronic cash and movies, while at the same time being protected from attacks on their privacy. To be part of a trusted computing environment, the PC itself must be trusted by both the user and outside entities such as banks and content providers. The critical elements necessary to create a trusted PC include: a trusted processing environment, platform-specific secrets, cryptographic processing, secure storage and a secure operating system code segment referred to as the Security Kernel (SK). The building blocks that implement these elements are described in greater detail below.
Processors configured to execute x86 instructions generally include architectural features such as protected mode, which provides paged virtual memory and privileged execution modes, and the set of control registers that controls these features. Controlling access to those control registers and to the page tables can provide additional protection against unauthorized access to program code and data within a computer system. Thus, adding a set of architectural extensions to such processors, together with corresponding software support, can provide this protection. The overall security enhancement to a processor is referred to as Secure Execution Mode (SEM). Secure Execution Mode (SEM) is a new operating mode added to a processor that creates a trusted execution environment in which a Security Kernel can run free from external tampering.
Accordingly, a processor capable of operating in SEM may include security hardware (not shown) which, when enabled by SEM, provides support for SEM operating modes such as a trusted execution (TX) mode of operation. As described further below, depending on what software is executing and its privilege level, the trusted execution mode may include the SEM-capable processor operating in a secure user mode and a secure kernel mode in addition to the normal user mode and the normal kernel mode. Mechanisms may also be provided to create a protected memory region that is accessible only to software running within this environment and is protected from hardware memory accesses (for example, direct memory access (DMA)).
The new trusted execution (TX) environment is somewhat analogous to the traditional normal/protected mode (Ring 3/Ring 0) mechanism used to separate the user and kernel environments. As described in greater detail below in conjunction with Fig. 1, the combination of user/kernel modes with trusted/non-trusted modes creates a four-quadrant model. Thus, a SEM-capable central processing unit (CPU) contains the hardware mechanisms that create and enforce the TX mode.
Referring now to Fig. 1, the operational domains of one embodiment of a secure execution mode-capable processor and the behavior of code operating in those domains are shown. As described above, current x86-based operating systems generally use two of the four available privilege levels (for example, CPL0 and CPL3) to implement two modes within the normal execution mode or protection domain: normal kernel mode and normal user mode. When SEM is enabled, the secure execution mode enhancements define a new execution mode, referred to as trusted execution (TX) mode. When combined with the existing normal execution mode protection domains, TX mode creates four distinct modes or software operational domains, described below. In the illustrated embodiment, the four domains are the normal user (NU) domain 1010, the normal kernel (NK) domain 1020, the secure user (SU) domain 1030 and the secure kernel (SK) domain 1040.
The NU domain 1010 is characterized by the processor running in normal user mode (i.e., CPL=3) and not in trusted execution (TX) mode. In the NU domain 1010, typical virtual memory settings allow normal operation of unmodified applications. Under SEM, however, such applications are prevented from accessing the memory of applications residing in the SU domain 1030, or the memory containing the Security Kernel 1021 in the SK domain 1040. Furthermore, such applications are prevented from accessing the memory of the operating system kernel 1023 or of device drivers in the normal kernel domain 1020 by existing protection logic mechanisms, such as the U/S and R/W page attributes (not shown).
In the NK domain 1020, SEM allows normal operation of the unmodified operating system kernel 1023 components and of kernel-mode device drivers. Code executing in this domain may access objects in the NU domain 1010, but is prevented under SEM from accessing objects in either the SU domain 1030 or the SK domain 1040. Furthermore, the NK domain 1020 is characterized by the processor running in normal kernel mode (i.e., CPL=0) but not in TX mode. When paging is enabled in the NK domain 1020, the processor is sometimes referred to as operating in native kernel mode.
In the SU domain 1030, SEM allows a new type of application software to run, such as a high security application (HSA) 1. HSA software is prevented from accessing objects in any other domain by the existing x86 page protection and page mapping mechanisms. In addition, the HSAs are protected from unauthorized access by any code executing in the NU domain 1010 and the NK domain 1020, including the operating system kernel 1023 and device drivers (see Fig. 2). As described in greater detail below, the Security Kernel 1021 is responsible for setting up and maintaining the virtual address spaces of the HSAs. Furthermore, the SU domain 1030 is characterized by the processor running in user mode (i.e., CPL=3) but also in TX mode, which is also referred to as secure user mode.
In the SK domain 1040, SEM allows the Security Kernel 1021 full access to all platform resources and, in addition, gives the Security Kernel 1021 exclusive control of those resources. The SK domain 1040 is characterized by the processor running in kernel mode (i.e., CPL=0) and also in TX mode, which is also referred to as secure kernel mode.
Generally speaking, the Security Kernel 1021 is software that runs in the trusted execution (TX) mode. In one embodiment, the Security Kernel 1021 may be the only software that runs in the SK domain 1040. In the SK domain 1040, the Security Kernel 1021 controls all virtual-to-physical memory mappings and controls which areas of physical memory are accessible to external devices. However, the Security Kernel 1021 relies on the process creation functions of the trusted operating system kernel, including the normal-mode virtual memory mappings, the initial mapping of HSA memory and the loading of HSA code and data sections. The Security Kernel 1021 nevertheless monitors every such mapping to ensure that trusted memory is never mapped, without authorization, into an untrusted virtual space. Thus, the Security Kernel 1021 regards all areas of memory that are not trusted as untrusted. Furthermore, the Security Kernel 1021 regards all running program code that is not controlled by the Security Kernel 1021 as untrusted. It is noted that in one embodiment the Security Kernel 1021 may be a stand-alone code segment that can be patched into an existing operating system. In an alternative embodiment, the Security Kernel 1021 may be a module or code segment within, and part of, a given operating system.
The major functions of SEM include initializing the trusted environment, verifying the authenticity of the SK, and protecting the trusted environment from outside attacks. It is noted that the terms CPU, microprocessor and processor are used interchangeably.
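The four-domain model of Fig. 1 and the Security Kernel's mapping check, as an added illustration that is not code from the patent or from AMD: physical pages carry the x86 U/S and R/W attributes plus a SEM trusted tag, each process has its own virtual address space, and the Security Kernel refuses any mapping that would place trusted memory into an untrusted address space. The page layout, the process names and the DMA rule as a flat denial of trusted pages are this example's simplifications, not details the patent states.

```python
"""Toy model of SEM memory isolation as described for Fig. 1.

Constructed illustration, not AMD's implementation.  x86 page attributes
(U/S, R/W) are combined with a SEM 'trusted' tag on physical pages and with
the Security Kernel's check that trusted memory is never mapped into an
untrusted virtual address space.  DMA is modelled as a flat denial of
trusted pages (the text says the SK controls this; the rule is assumed).
"""
from dataclasses import dataclass, field
from enum import Enum


class Domain(Enum):
    NU = "normal user"      # CPL=3, not TX
    NK = "normal kernel"    # CPL=0, not TX
    SU = "secure user"      # CPL=3, TX
    SK = "secure kernel"    # CPL=0, TX


def domain_of(cpl: int, tx: bool) -> Domain:
    """Map (CPL, TX) to one of the four operational domains."""
    if cpl not in (0, 3):
        raise ValueError("only CPL0 and CPL3 are modelled")
    if cpl == 3:
        return Domain.SU if tx else Domain.NU
    return Domain.SK if tx else Domain.NK


@dataclass(frozen=True)
class PhysPage:
    pfn: int
    trusted: bool          # lies in the trusted portion of system memory
    supervisor: bool       # U/S = 0: kernel-mode code only
    writable: bool         # R/W bit


@dataclass
class AddressSpace:
    """One process's virtual-to-physical mapping (a flattened page table)."""
    name: str
    trusted: bool          # owned by an HSA (or the SK) rather than a normal app
    mappings: dict = field(default_factory=dict)   # vpn -> PhysPage


class MappingViolation(Exception):
    """Raised when a mapping would leak trusted memory into untrusted space."""


def map_page(space: AddressSpace, vpn: int, page: PhysPage) -> None:
    """The SK's monitoring of every mapping the OS creates."""
    if page.trusted and not space.trusted:
        raise MappingViolation(
            f"page {page.pfn} is trusted but {space.name} is untrusted")
    space.mappings[vpn] = page


def access_allowed(space: AddressSpace, vpn: int, cpl: int, tx: bool,
                   write: bool) -> bool:
    """Decide whether code at (cpl, tx) running in `space` may touch vpn."""
    page = space.mappings.get(vpn)
    if page is None:
        return False                       # not mapped: isolation by mapping
    if page.supervisor and cpl == 3:
        return False                       # U/S attribute keeps user code out
    if write and not page.writable:
        return False                       # R/W; CPL0 does not override it
    if page.trusted and not tx:
        return False                       # SEM: trusted memory needs TX mode
    return True


def dma_allowed(page: PhysPage) -> bool:
    """External devices never reach the trusted portion (assumed rule)."""
    return not page.trusted


def demo() -> dict:
    """Build a constructed scenario and return each access decision."""
    kern = PhysPage(1, trusted=False, supervisor=True, writable=True)
    app = PhysPage(2, trusted=False, supervisor=False, writable=True)
    hsa = PhysPage(3, trusted=True, supervisor=False, writable=True)
    sk = PhysPage(4, trusted=True, supervisor=True, writable=True)
    normal = AddressSpace("normal app", trusted=False)
    secure = AddressSpace("HSA 1", trusted=True)
    map_page(normal, 0x10, kern)
    map_page(normal, 0x20, app)
    map_page(secure, 0x30, hsa)
    map_page(secure, 0x40, sk)
    try:
        map_page(normal, 0x50, hsa)        # OS tries to expose HSA memory
        leak = True
    except MappingViolation:
        leak = False
    return {
        "domain_su": domain_of(3, True),
        "nu_reads_app": access_allowed(normal, 0x20, 3, False, False),
        "nu_reads_kernel": access_allowed(normal, 0x10, 3, False, False),
        "nk_reads_kernel": access_allowed(normal, 0x10, 0, False, False),
        "nk_reads_hsa": access_allowed(secure, 0x30, 0, False, False),
        "su_reads_hsa": access_allowed(secure, 0x30, 3, True, False),
        "su_reads_sk": access_allowed(secure, 0x40, 3, True, False),
        "sk_reads_hsa": access_allowed(secure, 0x30, 0, True, False),
        "leak_mapping_accepted": leak,
        "dma_to_sk": dma_allowed(sk),
    }
```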
The if secure execution Initiation
The center that PC is trusted in foundation is the secret exclusive, that platform is specific.On practice, this secret can be open/dedicated encrypted key to special-purpose half wherein.This secret must be only when PC is just operating in the environment of being trusted and use, and this secret must not leak into anyone-or any program code.Can disclose the result who uses this secret cryptographic operation, but be not secret itself.For this work, employed secret and encryption processing mechanism must be present in the enclosure of the input and output with control.On the vocabulary of reality, enclosure is referenced as single integrated circuit (IC) packaging part that combines processing power and the electrical storage of Fei Yi.What this device claimed is security services processor (Security Services Processor is called for short SSP).In an embodiment, need at least one SSP, and just what a SSP participates in the platform initiated process.
On framework, SSP can be positioned at platform Anywhere.Unique requirement is that non-counterfeit (non-spoofable) and secure communication path are present between tool SEM ability processor and the SSP.Family as used herein, the non-counterfeit communication path between tool SEM ability processor and SSP is referenced as secure communication path, and wherein SSP does not receive order that comes from the performed software in the outside that is subjected to trusted environment or the order that comes from DMA hardware.This is perhaps complicated especially when the environment of being trusted is initial.Herein, SSP must verify the validity of SK and determine that effective SK is in fact in the program code of this moment running on tool SEM ability processor.This validity is taked mixed and disorderly (cryptographic hash) form of the encryption of SK image.This in a jumble must be not operating the mode that obtains and be sent to SSP from normal software.Moreover tool SEM ability processor must begin to carry out SK (and SSP must know this situation) from the initial state of removing.Can be by using CPU microcode (microcode) and can't meeting the requirements by the hardware mechanism of normal software acquisition.In detail, what claim be that the new safe initial order system of safety kernel initial (SecurityKernelInitialization is called for short SKINIT) is used for: initial tool SEM ability processor, verify that other processor in the MP system stops, using the system address of reservation to communicate by letter with SSP and jump over and enters in the SK program code.It should be noted that in an embodiment, initiated process comprises two steps: make little safe loader (Secure Loader is called for short SL) by SSP effectively, then make big a lot of SK effective.
The computer system of computing platform is trusted in use
Now with reference to Fig. 2, show the calcspar of an embodiment who uses the computer system of being trusted computing platform.Computer system 10 comprises two tool SEM ability processors, is denoted as SEM processor 100A and SEM processor 100B.SEM processor 100A is coupled to SEM processor 100B by processor bus 105.Computer system 10 also comprises Installed System Memory 110A that is coupled to SEM processor 100A and the Installed System Memory 110B that is coupled to SEM processor 100B.SEM processor 100A is coupled to I/O (I/O) interface 120 by system bus 125.I/O interface 120 is coupled to memory storage 140 by peripheral bus 145 and to peripheral unit 150.I/O interface 120 further is coupled to SSP 130 by peripheral bus 135.In an alternate embodiment, alternative peripheral bus 135, SSP 130 can be shown in dotted line is coupled to peripheral bus 145.Though it should be noted that to have shown two SEM processors, in other embodiment, can comprise the SEM processor of other number.Also it should be noted that assembly with same components symbol and letter, can be only by independent digital institute reference.For example, SEM processor 100A can only be referenced as SEM processor 100 in suitable ground.
In the illustrated embodiment, SEM processor 100A and SEM processor 100B each include an integrated memory controller (not shown) for connection to system memory 110A and system memory 110B, respectively. It should be noted that in alternative embodiments, I/O interface 120 may include one or more memory controllers and a host bridge. In such embodiments, system memory 110 may be connected to I/O interface 120.
SEM processor 100 is illustrative of a processor employing the x86 architecture. For example, in one embodiment, SEM processor 100 may be an Athlon(TM) processor manufactured by Advanced Micro Devices, Inc. As such, SEM processor 100 is configured to execute x86 instructions, which may be stored in system memory 110 or in storage device 140. In the illustrated embodiment, SEM processor 100 may include security hardware (not shown) that, when enabled by SEM, provides support for SEM operating modes such as the trusted execution (TX) mode described above in conjunction with Fig. 1.
System memory 110 is configured to store program instructions and data that are frequently used by SEM processor 100. In a typical system configuration, storage device 140 may be used to store program instructions and data more permanently, and when SEM processor 100 needs the data and program code, the program instructions and data are transferred to system memory 110. Additional support for the SEM operating modes may be provided by a security kernel which may be executed in conjunction with the operating system out of system memory 110 during operation of SEM processor 100. In addition, system memory 110 may be partitioned into a trusted portion and an untrusted portion. The security kernel resides in the trusted portion of system memory 110. As described above, system memory 110 is typically accessed using paged virtual memory. In such a configuration, system memory 110 may be accessed by individual pages or memory chunks. This paging function is typically handled by operating system memory management functions.
In one embodiment, system memory 110 may be implemented using a plurality of memory chips implemented in dynamic random access memory (DRAM) technology or in one of the available variations of DRAM technology, such as synchronous DRAM (SDRAM). The DRAM chips are typically mounted on small circuit boards having an edge connector which are inserted into a socket connector on a motherboard. Depending on the configuration of the boards, they are referred to as single or dual in-line memory modules (SIMMs or DIMMs, respectively). System memory 110 may include multiple banks of memory modules, which may allow memory expansion.
As described above, storage device 140 may store program code and data. In one embodiment, storage device 140 may be a hard disk drive or a bank of hard disk drives, although other embodiments are contemplated that include other mass storage devices such as CD-ROM drives, floppy disk drives and tape drives.
Peripheral device 150 may be any peripheral device such as a modem, video capture device or other general-purpose input/output device, for example. It should be noted that in other embodiments, other numbers of peripheral devices may be used.
I/O interface 120 is configured to provide bus control and translation for transactions between the different peripheral buses and SEM processors 100A and 100B during normal system operation. In one embodiment, I/O interface 120 includes a bus bridge 121 which may perform functions associated with a Northbridge. For example, peripheral bus 145 may be a peripheral component interconnect (PCI) bus, while peripheral bus 135 may be a low pin count (LPC) bus. In addition, bus bridge 121 may be configured to provide security mechanisms (not shown in Fig. 2) which allow non-spoofable communication to occur between SEM processor 100 and SSP 130 during a secure initialization. For example, bus bridge 121 may be configured to determine whether an SSP is connected to it and to which bus it is connected. As described further below, bus bridge 121 may be configured to perform various security-related functions, such as translating the secure initialization instructions received from SEM processor 100A on system bus 125 into a format suitable for conveyance on peripheral bus 135, depending on the type of that bus. For example, bus bridge 121 may be configured to recognize security kernel initialization (SKINIT) related messages and to transport those messages to SSP 130 in the specific format of peripheral bus 135. Further, bus bridge 121 may be configured to block peer-to-peer traffic to SSP 130, for example by means of an address filter. Bus bridge 121 may also be configured to enforce an access window for memory-mapped I/O writes to SSP 130 during SKINIT operations.
Generally speaking, the security kernel initialization (SKINIT) instruction may be executed on an SEM-capable processor such as SEM processor 100A or SEM processor 100B. In one embodiment, the SKINIT instruction includes three execution phases: Initialization, Data Transfer and Jump.
During the initialization phase, the state of SEM processor 100A may be reset and any microcode patches cleared. In addition, in one embodiment, each memory controller of the SEM processors 100, whether integrated or external, may include logic (not shown) configured to clear the actual contents of the memory chips of system memory 110 in response to a reset request, unless the reset is associated with a suspend-to-RAM. Further, the SL image may be loaded into system memory 110A, and the 64-kilobyte contiguous region of physical memory in which the SL image resides is protected from DMA access. The base address of this 64-kilobyte region is a parameter of the SKINIT instruction. The Hash_Start transaction carries part of this base address in its address field. In this manner, all memory controllers that receive the Hash_Start transaction are notified of the protected memory region.
During the data transfer phase, microcode may perform the Hash_Start, Hash_Data and Hash_End commands. In one embodiment, the Hash_Start transaction may be a broadcast transaction sent over all intervening links and buses between SEM processor 100A and SSP 130. In the illustrated embodiment, Hash_Start may be sent on processor bus 105, system bus 125 and peripheral bus 135. In a multiprocessor environment, SEM processor 100A waits for a response from SEM processor 100B. SEM processor 100B may respond with one of the messages indicated by the status bits "APIC Init Mode is Active" or "APIC Init Mode is Inactive". If SEM processor 100B does not respond with "APIC Init Mode is Active", SEM processor 100A may complete Hash_Start and then perform Hash_End, thereby skipping the Hash_Data command. Assuming SEM processor 100B responds with "APIC Init Mode is Active", the Hash_Data command is sent to SSP 130. The host bridge/memory controller (not shown) associated with each of SEM processors 100A and 100B may unlock memory, I/O and DMA isolation protection.
Once the Hash_Start transaction has been delivered to SSP 130, microcode may perform the Hash_Data transaction. The Hash_Data transaction fetches the SL code image from system memory 110A and delivers it across system bus 125 to I/O interface 120.
Once the Hash_Data transaction and its corresponding data have been delivered to SSP 130, microcode may perform the Hash_End transaction. The Hash_End transaction may be sent as a broadcast transaction over all intervening links and buses between SEM processor 100A and SSP 130.
I/O interface 120 receives the SL image, delimited by the Hash_Start and Hash_End messages. Transactions received outside the Start/End window are ignored. The data is delivered to SSP 130. Bus bridge 121 may be configured to prevent any other transactions to the SSP 130 address range associated with the SKINIT transactions between Hash_Start and Hash_End.
During the jump phase, the SKINIT instruction completes and jumps to the SL.
In one embodiment, when SSP 130 has received the data payload (i.e., the SL image) of the Hash_Data transactions and the Hash_End transaction, SSP 130 performs a cryptographic hash of the image and compares the result with an internally stored value. If they match, SSP 130 may validate the SL image.
It should be noted that in embodiments in which SSP 130 is coupled to peripheral bus 145, bus bridge 121 may be configured to perform the translation and security-related functions with respect to peripheral bus 145.
Referring now to Fig. 3, a block diagram of another embodiment of a computer system employing a trusted computing platform is shown. For simplicity and clarity, components corresponding to those shown in Fig. 2 are numbered identically. Computer system 20 includes two SEM-capable processors, designated SEM processor 100A and SEM processor 100B. SEM processor 100A is coupled to SEM processor 100B by a coherent link 205, which may form a high-speed point-to-point link. Computer system 20 also includes system memory 110A coupled to SEM processor 100A and system memory 110B coupled to SEM processor 100B. SEM processor 100A is coupled to I/O interface 220 by a non-coherent I/O link 225. Non-coherent I/O link 225 may also be a high-speed point-to-point link. I/O interface 220 is coupled to storage device 140 and to peripheral device 150 by peripheral bus 145. I/O interface 220 is further coupled to SSP 130 by peripheral bus 135. In an alternative embodiment, instead of peripheral bus 135, SSP 130 may be coupled to peripheral bus 145, as indicated by the dotted line. It should be noted that although two SEM processors are shown, other embodiments may include other numbers of SEM processors.
In the illustrated embodiment, SEM processor 100A and SEM processor 100B each include an integrated memory controller (not shown) for connection to system memory 110A and system memory 110B, respectively. In addition, SEM processor 100A includes integrated host bridge logic (not shown) for connection to non-coherent I/O link 225 and for conveying messages between SEM processor 100A and SEM processor 100B over coherent link 205. It should be noted, however, that in other embodiments the host bridge may be a standalone bridge (i.e., a Northbridge) or a combination bridge.
In the illustrated embodiment, coherent link 205 and non-coherent I/O link 225 are each implemented as a set of unidirectional wires. Each set of wires may convey transactions in a different direction. Coherent link 205 may be operated in a cache-coherent fashion for communication between SEM processors 100A and 100B. In addition, non-coherent I/O link 225 may be operated in a non-cache-coherent fashion for communication between I/O interface 220 and a host bridge, such as the host bridge of SEM processor 100A. Two or more devices interconnected by coherent links may be referred to as a "coherent fabric". Similarly, two or more devices interconnected by non-coherent links may be referred to as a "non-coherent fabric". It should be noted that in one embodiment, non-coherent I/O link 225 may be compatible with HyperTransport(TM) technology.
Generally speaking, a packet is a communication between two nodes or devices (an initiating node which transmits the packet and a destination node which receives it). The initiating node and destination node may differ from the source node and destination node of the transaction of which the packet is a part, or either of them may be the transaction's source node or destination node. A control packet is a packet carrying control information regarding a transaction. Certain control packets specify that a data packet follows. The data packet carries data corresponding to the transaction and to the specific control packet. In one embodiment, control packets may include command packets, info packets and response packets. It should be noted that other embodiments are contemplated in which the control packets include other types of packets.
A packet may pass through one or more nodes when it is transmitted upstream or downstream on a non-coherent link, or when it is transmitted between coherent nodes on a coherent link. As used herein, "upstream" refers to packet traffic flowing from I/O interface 220 in the direction of the host bridge of SEM processor 100A, and "downstream" refers to packet traffic flowing away from the host bridge of SEM processor 100A in the direction of I/O interface 220.
Similar to the description of Fig. 2, SEM processor 100 of Fig. 3 is illustrative of a processor employing the x86 architecture. As such, SEM processor 100 is configured to execute x86 instructions, which may be stored in system memory 110 or in storage device 140. In the illustrated embodiment, SEM processor 100 may include security hardware (not shown) which, when enabled by SEM, provides support for SEM operating modes such as the trusted execution (TX) mode described above.
As described in greater detail below, HyperTransport(TM) technology may be used to implement the non-spoofable secure communication path, and the host bridge may also be configured to perform security-related functions. For example, the host bridge of SEM processor 100A may perform I/O space isolation and SKINIT-related message support, and may have knowledge of whether SSP 130 resides on its downstream bus. I/O space isolation refers to blocking any transactions to I/O space that arrive from the downstream bus. For example, upstream transactions are not allowed to cross the bridge to the upstream bus, nor are they allowed to be reflected back down to the downstream bus. In addition, any upstream accesses to the HyperTransport(TM) 40-bit configuration address range (FD_FE00_0000h-FD_FFFF_FFFFh) may be blocked by the host bridge. In one embodiment, these accesses may be terminated with either a Target Abort or a Master Abort.
As described above in conjunction with Fig. 2, the host bridge within SEM processor 100A may be configured to transmit the Hash_Start, Hash_Data and Hash_End transactions. In one embodiment, the Hash_Start and Hash_End messages are Broadcast packets, and the Hash_Data transaction comprises a non-posted Sized Write request packet followed by a data packet containing the data payload. Example Hash_Start, Hash_Data and Hash_End HyperTransport(TM) packets are discussed below in the description of Fig. 6 through Fig. 8. The 40-bit addresses used for these transactions are detailed below. In one embodiment, it is the responsibility of the HyperTransport(TM) host bridge of SEM processor 100A to ensure that transactions to these addresses originate only from SEM processor 100A as a result of a local SKINIT instruction. It should be noted that the following address ranges used in secure initialization are designated Reserved in the HyperTransport(TM) specification:
FD_F920_0000h-FD_F923_FFFFh Hash_Start
FD_F924_0000h-FD_F927_FFFFh Reserved
FD_F928_0000h-FD_F928_0003h Hash_End
FD_F928_0004h-FD_F928_0007h Hash_Data
FD_F928_0008h-FD_F92F_FFFFh Reserved
System memory 110 operates in substantially the same manner as system memory 110 described above in conjunction with Fig. 2. For example, system memory 110 of Fig. 3 is also configured to store program instructions and data that are frequently used by SEM processor 100. Additional support for the SEM operating modes may be provided by a security kernel executed in conjunction with the operating system out of system memory 110 during operation of SEM processor 100. In addition, as described above, system memory 110 may be partitioned into a trusted portion and an untrusted portion. The security kernel resides in the trusted portion of system memory 110. As described above, system memory 110 is typically accessed using paged virtual memory. In such a configuration, system memory 110 may be accessed by individual pages or memory chunks. This paging function is typically handled by operating system memory management functions.
As described above, storage device 140 may store program code and data. In one embodiment, storage device 140 may be a hard disk drive or a bank of hard disk drives, although other embodiments are contemplated that include other mass storage devices such as CD-ROM drives, floppy disk drives and tape drives.
Peripheral device 150 may be any peripheral device such as a modem, video capture device or other general-purpose input/output device, for example. It should be noted that in other embodiments, other numbers of peripheral devices may be used.
In the illustrated embodiment, I/O interface 220 includes a bus bridge 221, which may include hardware (not shown) configured to bridge the non-coherent HyperTransport(TM) transactions conveyed on NC I/O link 225 of Fig. 3 to the bus transactions conveyed on peripheral bus 135 and on peripheral bus 145. In one embodiment, peripheral bus 135 is a low pin count (LPC) bus. In addition, peripheral bus 145 may be a peripheral component interconnect bus. In such an embodiment, bus bridge 221 may be configured to bridge the non-coherent HyperTransport(TM) transactions conveyed on NC I/O link 225 to the LPC bus transactions conveyed on LPC bus 135 and to the bus transactions conveyed on PCI bus 145. It should be noted that in one embodiment the LPC bus may be a non-enumerable serial bus which uses four wires to convey control, address and data information between a host and a peripheral. The information conveyed is: start, stop (end of cycle), transfer type (memory, I/O, DMA), transfer direction (read/write), address, data, wait states, DMA channel, and bus master grant. For more information about the LPC bus, refer to the Low Pin Count Interface Specification Revision 1.1 provided by Intel(R). In addition, the PCI bus is generally characterized as a parallel, multiplexed address and data bus. Further, for more information about the PCI bus, refer to the PCI Local Bus Specification Revision 2.2 provided by the PCI Special Interest Group.
I/O interface 220 is configured to provide bus control and translation for transactions between the different peripheral buses during normal system operation. In addition, bus bridge 221 may include security mechanisms which allow non-spoofable communication to occur between SEM processor 100 and SSP 130 during a secure initialization. For example, bus bridge 221 may be configured to determine whether an SSP is connected to it and to which bus it is connected. Further, as described in detail below in conjunction with the descriptions of Fig. 4 and Fig. 5, bus bridge 221 may be configured to perform various security-related functions, such as translating the secure initialization transactions. For example, bus bridge 221 may be configured to recognize SKINIT messages received on NC I/O link 225 and, when necessary, to transport those messages to SSP 130 in a format suitable for conveyance on LPC bus 135 or PCI bus 145, depending on the address of SSP 130. Further, bus bridge 221 may be configured to block peer-to-peer traffic to SSP 130. Bus bridge 221 may also be configured to enforce an access window for memory-mapped I/O writes to SSP 130 during SKINIT operations.
As described in greater detail below in conjunction with Fig. 4 and Fig. 5, bus bridge 221 may include logic (not shown in Fig. 3) configured to terminate the SKINIT-related HyperTransport(TM) messages and, depending on the location of SSP 130, to transmit those messages in the correct format to SSP 130 via LPC bus 135 or PCI bus 145 when necessary. Further, bus bridge 221 may include logic (not shown in Fig. 3) configured to perform HyperTransport(TM)-to-SSP flow control. For example, bus bridge 221 may absorb an incoming sequence of Hash_Data transactions at the supported HyperTransport(TM) data rate, or it may exert flow control on the upstream NC I/O link 225.
Bus bridge 221 may also include logic (not shown in Fig. 3) configurable to enforce the Hash_Start/Hash_End access window rules. Specifically, between the Hash_Start and Hash_End boundaries, no accesses other than the Hash_Data transactions received from the upstream link are allowed to write to the SSP's memory-mapped I/O address range. This includes any peer-to-peer traffic on LPC bus 335 or PCI bus 145, depending on where SSP 130 resides.
Turning to Fig. 4, a block diagram of one embodiment of the bus bridge of Fig. 3 is shown. For clarity and simplicity, components corresponding to those shown in Fig. 3 are numbered identically. LPC bus bridge 321 includes an internal bridge unit 401 coupled to NC I/O link 225 and to an internal bus 421. LPC bus bridge 321 also includes a SKINIT filter 405 coupled to internal bridge unit 401 and to a SKINIT source detector 450. LPC bus bridge 321 also includes an address mapper 411 coupled to an address filter 410, which is further coupled to SKINIT filter 405. LPC bus bridge 321 also includes control logic 416 coupled to configuration header standard registers 415. LPC bus bridge 321 also includes an internal bus cycle decoder 420 coupled to internal bus 421. LPC bus bridge 321 also includes a read buffer 425 and a write buffer 430, both coupled to internal bus 421. LPC bus bridge 321 also includes a Hash_x command translator 455 coupled between SKINIT source detector 450 and an LPC bus cycle engine 435. Further, LPC bus bridge 321 includes an LPC bus driver 440 coupled to LPC bus 335.
In the illustrated embodiment, internal bus 421 may be used to convey transactions within LPC bus bridge 321. Transactions received on NC I/O link 225 may be received by internal bridge unit 401 and translated into internal bus cycles. In one embodiment, internal bridge unit 401 may be configured to receive HyperTransport(TM) messages on NC I/O link 225 and to translate those messages into PCI bus cycles for transmission on internal bus 421. For example, HyperTransport(TM) messages such as the Hash_Start, Hash_End and Hash_Data messages described below in conjunction with Fig. 6 through Fig. 8 may be sent.
As internal bridge unit 401 receives transactions from NC I/O link 225, SKINIT filter 405 may be configured to identify SKINIT transactions. If a transaction is a SKINIT transaction, it is forwarded to SKINIT source detector 450. Address mapper 411 may map the received address into the corresponding LPC bus 335 address, as described below. Address filter 410 may receive the PCI transaction corresponding to the HyperTransport(TM) message and, if the address of the transaction falls within the 256-byte secure initialization address range of SSP 130, address filter 410 may provide an in-range signal to SKINIT source detector 450. As described further below, address filter 410 may use configuration header standard registers 415 to compare the incoming message address. In one embodiment, during system boot, configuration header standard registers 415 may be programmed with the contents of the base address register (not shown) of SSP 130. This programming may be accomplished with the support of the basic input/output system (BIOS).
In one embodiment, the validation and memory-mapped I/O write transactions may be mapped by address mapper 411 of LPC bus bridge 321 into a 4-Kbyte fixed address range on LPC bus 335:
FED0_0000h-FED0_0003h Hash_End
FED0_0004h-FED0_0007h Hash_Data
FED0_0008h-FED0_000Bh Hash_Start
FED0_000Ch-FED0_00FFh Reserved
FED0_0100h-FED0_0103h Device_ID / Vendor_ID register
FED0_0104h-FED0_0107h Class_Code / Revision_ID register
FED0_0108h-FED0_010Bh Subsystem_ID / Subsystem_Vendor_ID register
FED0_010Ch-FED0_01FFh Reserved
FED0_0200h-FED0_0FFFh SSP memory-mapped I/O range
FED0_1000h-FEDF_FFFh Reserved
It should be noted that transactions on LPC bus 335 are byte reads and writes. Accordingly, any Hash_Data Dword transaction received on NC I/O link 225 may be translated into the corresponding byte transactions.
SKINIT source detector 450 may be configured to determine the source of a transaction. If SKINIT source detector 450 determines that the source of a SKINIT transaction is not the host bridge, the SKINIT transaction may be blocked or discarded. In one embodiment, a system reset may be initiated in response to receiving a SKINIT transaction whose source is not the host bridge. However, if SKINIT source detector 450 determines that the source of the SKINIT transaction is the host bridge of SEM processor 100A and, by way of the in-range signal, that the address of the transaction is within the secure initialization range, the SKINIT transaction is allowed to be translated into an LPC command by Hash_x command translator 455 and mapped into the associated LPC address. LPC bus cycle engine 435 may then generate the appropriate LPC bus cycles. LPC bus driver 440 may generate the appropriate signals to drive the bus cycles onto LPC bus 335 for conveyance to SSP 130.
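The filtering path described above (the SKINIT filter and source detector, the mapping of the 40-bit HyperTransport(TM) addresses into the fixed LPC range, and the Hash_Start/Hash_End access-window rule for the SSP's memory-mapped I/O range) is modelled in the following added Python example, which is not part of the patent. The address values are those listed on this page; the transaction sequence, the "host_bridge"/"peer" source labels and the reset request on a non-host-bridge source are constructed for illustration.

```python
"""Software model of the SKINIT path through the LPC bus bridge: classify, source-check,
map 40-bit HT addresses into the fixed LPC window and enforce the Start/End access window.
Constructed example; only the address ranges come from the page."""
from dataclasses import dataclass, field
from enum import Enum


class Kind(Enum):
    HASH_START = "Hash_Start"
    HASH_END = "Hash_End"
    HASH_DATA = "Hash_Data"
    RESERVED = "Reserved"
    OTHER = "Other"


# 40-bit HyperTransport address ranges used for secure initialization (from the page).
HT_RANGES = (
    (0xFD_F920_0000, 0xFD_F923_FFFF, Kind.HASH_START),
    (0xFD_F924_0000, 0xFD_F927_FFFF, Kind.RESERVED),
    (0xFD_F928_0000, 0xFD_F928_0003, Kind.HASH_END),
    (0xFD_F928_0004, 0xFD_F928_0007, Kind.HASH_DATA),
    (0xFD_F928_0008, 0xFD_F92F_FFFF, Kind.RESERVED),
)

# Fixed LPC addresses the bridge maps the Hash_x commands into (from the page).
LPC_ADDR = {Kind.HASH_END: 0xFED0_0000, Kind.HASH_DATA: 0xFED0_0004, Kind.HASH_START: 0xFED0_0008}
SECURE_INIT_RANGE = (0xFED0_0000, 0xFED0_00FF)  # 256-byte secure initialization range
SSP_MMIO_RANGE = (0xFED0_0200, 0xFED0_0FFF)     # SSP memory-mapped I/O range


@dataclass
class Txn:
    addr: int          # HT address for upstream-link traffic, LPC address for peer traffic
    source: str        # "host_bridge" (SKINIT microcode via the host bridge) or "peer" (assumed labels)
    data: bytes = b""  # Dword payload for Hash_Data, bytes for ordinary writes


@dataclass
class LpcBridge:
    in_window: bool = False                         # between Hash_Start and Hash_End
    lpc_cycles: list = field(default_factory=list)  # (lpc_addr, byte or None) driven to the SSP
    dropped: list = field(default_factory=list)
    reset_requested: bool = False                   # one embodiment resets on a spoofed source


def classify(addr: int) -> Kind:
    """SKINIT filter: which secure-initialization range, if any, the address falls in."""
    for lo, hi, kind in HT_RANGES:
        if lo <= addr <= hi:
            return kind
    return Kind.OTHER


def _within(rng, addr):
    return rng[0] <= addr <= rng[1]


def handle(bridge: LpcBridge, t: Txn) -> bool:
    """Process one transaction; returns True if it was driven onto the LPC bus."""
    kind = classify(t.addr)
    if kind is Kind.OTHER:
        return _handle_non_skinit(bridge, t)
    if t.source != "host_bridge":
        # Source detector: SKINIT-range traffic not from the host bridge is discarded.
        bridge.dropped.append(t)
        bridge.reset_requested = True
        return False
    if kind is Kind.RESERVED or (kind is not Kind.HASH_START and not bridge.in_window):
        bridge.dropped.append(t)  # reserved range, or Hash_Data/Hash_End outside the window
        return False
    if kind is Kind.HASH_START:
        bridge.in_window = True
    lpc_addr = LPC_ADDR[kind]
    if kind is Kind.HASH_DATA:
        # LPC is byte-wide: a Dword Hash_Data write becomes byte cycles at FED0_0004h..0007h.
        for i, b in enumerate(t.data[:4]):
            bridge.lpc_cycles.append((lpc_addr + i, b))
    else:
        bridge.lpc_cycles.append((lpc_addr, None))  # command-only cycle for Start/End
    if kind is Kind.HASH_END:
        bridge.in_window = False
    return True


def _handle_non_skinit(bridge: LpcBridge, t: Txn) -> bool:
    """Ordinary (including peer-to-peer) traffic addressed at the SSP."""
    if _within(SECURE_INIT_RANGE, t.addr):
        bridge.dropped.append(t)  # only translated SKINIT commands reach this range
        return False
    if bridge.in_window and _within(SSP_MMIO_RANGE, t.addr):
        bridge.dropped.append(t)  # window rule: no MMIO writes between Hash_Start and Hash_End
        return False
    for i, b in enumerate(t.data):
        bridge.lpc_cycles.append((t.addr + i, b))
    return True


def demo():
    """Constructed sequence: a legitimate SKINIT exchange interleaved with peer traffic."""
    br = LpcBridge()
    sl_image = bytes(range(8))  # constructed 8-byte stand-in for the SL image
    results = [handle(br, Txn(0xFD_F920_1000, "host_bridge"))]           # Hash_Start
    results.append(handle(br, Txn(0xFED0_0300, "peer", b"\xAA")))        # peer MMIO write in window
    for off in range(0, len(sl_image), 4):
        results.append(handle(br, Txn(0xFD_F928_0004, "host_bridge", sl_image[off:off + 4])))
    results.append(handle(br, Txn(0xFD_F928_0004, "peer", bytes(4))))    # Hash_Data from wrong source
    results.append(handle(br, Txn(0xFD_F928_0000, "host_bridge")))       # Hash_End
    results.append(handle(br, Txn(0xFED0_0300, "peer", b"\xAA")))        # same peer write, now allowed
    return br, results


if __name__ == "__main__":
    print(demo())
```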
Read buffer 425 and write buffer 430 may be storage configured to hold the data associated with each internal bus cycle. As transactions are conveyed on internal bus 421, internal bus cycle decoder 420 may determine whether a transaction is a read cycle or a write cycle. Any data associated with the cycle may be stored in the appropriate buffer for use by LPC bus cycle engine 435 when it generates the LPC bus cycles.
Since LPC bus 335 is a non-enumerable bus, LPC bus bridge 321 provides a configuration header for SSP 130 which, depending on whether SSP 130 is present, may be made present and accessible to software. In one embodiment, configuration header standard registers 415 may be compatible with a standard PCI configuration header. During system boot, BIOS may check for the presence of SSP 130 on LPC bus 335. If SSP 130 is detected, BIOS may set a bit located in control logic 416 that enables the standard registers of configuration header 415 to be visible to and accessed by software. Alternatively, when SSP 130 is installed at system build time, control logic 416 may be hard-wired (e.g., by a jumper or solder connection) to the appropriate setting. Otherwise, if SSP 130 is not present, control logic 416 may hide the configuration header and its standard registers 415 from software. In addition, SSP 130 may include a set of read-only registers mapped to fixed LPC bus addresses. BIOS may read these registers and load the values into the corresponding registers of configuration header standard registers 415. In one embodiment, the following SSP read-only registers may be mapped to fixed LPC addresses:
Address   Register
FED0_0100 bits [31:16] = Device ID, bits [15:0] = Vendor ID
FED0_0104 bits [31:8] = Class Code, bits [7:0] = Revision ID
FED0_0108 bits [31:16] = Subsystem ID, bits [15:0] = Subsystem Vendor ID
In one embodiment, LPC bus bridge 321 may also include an interrupt mechanism for SSP 130. LPC bridge 321 may provide a mapping for the SSP interrupt through the configuration header interrupt registers within configuration header standard registers 415. In one embodiment, LPC bus bridge 321 has a fixed mapping for the SSP interrupt, which is reported to the configuration header. Alternatively, BIOS may program the configuration header registers.
Thus, as described above, LPC bus bridge 321 may allow accesses to the secure initialization address range of SSP 130 that are sent from the host bridge of SEM-capable processor 100 during the secure initialization of SEM-capable processor 100, while blocking other accesses such as peer-to-peer accesses.
Although the embodiment described above in conjunction with Fig. 4 illustrates LPC bus bridge 321 as including functionality associated with particular blocks, it should be noted that the particular blocks are used for discussion purposes only, and other embodiments are contemplated that include other blocks configured to perform the same functions.
Referring now to Fig. 5, a block diagram of another embodiment of the bridge unit of Fig. 3 is shown. For clarity and simplicity, components corresponding to those shown in Fig. 2 through Fig. 3 are numbered identically. PCI bus bridge 422 includes an internal bridge unit 501 coupled to NC I/O link 225 and to an internal bus 521. PCI bus bridge 422 also includes a SKINIT filter 505 coupled to internal bridge unit 501 and to a SKINIT source detector 550. PCI bus bridge 422 also includes an address mapper 511 coupled to an address filter 510, which is further coupled to SKINIT filter 505 and to a base address register (BAR) shadow register 515. PCI bus bridge 422 also includes an internal bus cycle decoder 520 coupled to internal bus 521. PCI bus bridge 422 also includes a read buffer 525 and a write buffer 530, both coupled to internal bus 521. PCI bus bridge 422 also includes a Hash_x command translator 555 coupled between SKINIT source detector 550 and a PCI bus cycle engine 535. Further, PCI bus bridge 422 includes a PCI bus driver 540 coupled to PCI bus 545.
In one embodiment, during system initialization, the contents of the base address register (not shown) of SSP 130 and of BAR shadow register 515 are programmed. This programming may be done with BIOS support. BAR shadow register 515 is configured to match the BAR of SSP 130, and control logic 516 keeps the BAR of SSP 130 and BAR shadow register 515 aligned. In one embodiment, to maintain this alignment, control logic 516 may define a dedicated initialization device select (IDSEL) for SSP 130. SSP 130 may be physically installed or soldered onto the motherboard, and the motherboard may be configured to wire SSP 130 to the pre-defined, dedicated IDSEL from PCI bus bridge 422 at I/O interface 520. To map the 40-bit secure address into the corresponding 32-bit address space of PCI bus 545, address mapper 511 may be configured to notify control logic 516 when a configuration write occurs. Control logic 516 may snarf configuration writes to the BAR of SSP 130 and cause the snarfed configuration write to be written to BAR shadow register 515 in place of the write to the BAR. Snarfing refers to monitoring a bus or interface for particular transactions and, when a match is found, removing or intercepting that transaction.
In one embodiment, the memory-mapped I/O transactions identified by the SL are mapped by the address mapper of PCI bus bridge 422 into the following address range on PCI bus 545:
XXXX XXX0h - XXXX XXX3h    Hash_End
XXXX XXX4h - XXXX XXX7h    Hash_Data
XXXX XXX8h - XXXX XXXBh    Hash_Start
XXXX XXXCh - XXXX X1FFh    Reserved
XXXX X200h - XXXX XFFFh    SSP memory-mapped I/O range
In the illustrated embodiment, internal bus 521 may be used to convey transactions internal to PCI bus bridge 422. Transactions received on NC I/O link 225 may be accepted by internal bridge unit 501 and translated into internal bus cycles. In one embodiment, internal bridge unit 501 may be configured to receive HyperTransport™ packets on NC I/O link 225 and translate them into PCI bus cycles for transmission on internal bus 521. For example, HyperTransport™ packets such as the Hash_Start, Hash_End and Hash_Data packets may be sent; these are described in detail below in conjunction with Fig. 6 to Fig. 8.
Internal bridge unit 501 receives transactions from NC I/O link 225, and SKINIT filter 505 may be configured to identify SKINIT transactions. If a transaction is a SKINIT transaction, it may be forwarded to SKINIT source detector 550. Address mapper 511 may map the 40-bit secure address into the corresponding 32-bit address space of PCI bus 545, as shown above. Address filter 510 may receive the PCI transactions corresponding to the HyperTransport™ packets, and if the address of a transaction lies within the 256-byte secure start address range of SSP 130 (for example, the first three Dwords of the memory-mapped I/O space, corresponding to the Hash_Start, Hash_End and Hash_Data addresses), address filter 510 may provide an in-range signal to SKINIT source detector 550.
SKINIT source detector 550 may be configured to determine the source of a transaction. If SKINIT source detector 550 determines that the source of a SKINIT transaction is not the host bridge, the SKINIT transaction may be aborted or dropped. In one embodiment, a system reset may be initiated in response to receiving a SKINIT transaction request in which the host bridge is not the sole source. In an alternative embodiment, PCI bus bridge 422 may block subsequent attempts by a master to issue accesses to the secure start address range of SSP 130.
However, in response to the in-range signal, if SKINIT source detector 550 determines that the source of the SKINIT transaction is the host bridge of SEM processor 100A and the address of the transaction lies within the secure start range, the SKINIT transaction may be allowed to be translated into a PCI command by Hash_x command translator 555, and the PCI command is mapped to the associated PCI address. PCI bus cycle engine 535 may then generate the appropriate PCI bus cycles, and PCI bus driver 540 may then generate the appropriate signals to drive those bus cycles onto PCI bus 545 for transmission to SSP 130.
Read buffer 525 and write buffer 530 may be storage configured to hold the data associated with each internal bus cycle. When a transaction is conveyed on internal bus 521, internal bus cycle decoder 520 may determine whether the transaction is a read cycle or a write cycle. Any data associated with the cycle may be stored in the appropriate buffer for use by PCI bus cycle engine 535 when it generates the PCI bus cycles.
Thus, as described above, PCI bus bridge 422 may allow data accesses to the secure start address range of SSP 130 that are issued by the host bridge of SEM-capable processor 100 during secure initialization, while blocking other accesses, such as peer-to-peer accesses.
Although the embodiment described above in conjunction with Fig. 5 shows PCI bus bridge 422 as including functionality associated with particular blocks, it should be noted that the particular blocks are used only for purposes of discussion, and other embodiments are contemplated that include other blocks configured to implement the same functions.
Secure Kernel Initialization Using HyperTransport™ Transactions
As described above, NC I/O link 225 may be, for example, a HyperTransport™ link, and packets may be transmitted upstream or downstream. Some packets may have a specific destination, while other packets may be broadcast to all devices. Fig. 6 to Fig. 8 show example SKINIT transaction packets compatible with the HyperTransport™ specification: Fig. 6 shows an example Hash_Start packet, Fig. 7 shows an example Hash_End packet and Fig. 8 shows an example Hash_Data packet. Further details of link configuration, signaling and the various HyperTransport™ packet formats may be found in the latest revision of the HyperTransport™ I/O Link Specification published by the HyperTransport™ Technology Consortium.
Referring now to Fig. 6, a diagram of one embodiment of a Hash_Start packet is shown. Hash_Start packet 600 includes a number of fields, each made up of bits 0 to 7 (one byte). The packet spans bit times 0 to 7 and is therefore an 8-byte packet. The format of Hash_Start packet 600 is identified as a broadcast message, generally issued by the host bridge to communicate with all downstream devices. During bit time 0, bits 0 to 5 are used to encode the command and are designated CMD[5:0], and bits 6 to 7 are used to encode bits 2 and 3 of the sequence ID and are designated SeqID[3:2]. In the illustrated embodiment, CMD[5:0] is encoded as 111010b, which indicates a non-posted, sized-write, double-word, isochronous, non-coherent packet. During bit time 1, bits 0 to 4 are used to encode the unit ID of the host bridge (00000b) and are designated UnitID[4:0]. Bits 5 to 6 are used to encode bits 0 and 1 of the sequence ID and are designated SeqID[1:0]. Bit 7 is the pass-posted-writes bit and is designated PassPW; in this embodiment the PassPW bit is fixed at 0b. During bit time 2, all bits are reserved. During bit time 3, bits 0 to 1 are reserved, and bits 2 to 7 are used to encode address bits 2 to 7 and are designated Addr[7:2]; these bits are don't-care. During bit time 4, bits 0 to 7 are used to encode address bits 8 to 15 and are designated Addr[15:8]; these bits are don't-care. During bit time 5, bits 0 to 1 are used to encode address bits 16 and 17 and are designated Addr[17:16]; these bits are don't-care. Bits 2 to 7 are used to encode address bits 18 to 23 and are designated Addr[23:18]; these are encoded with the address value 001010b. During bit time 6, bits 0 to 7 are used to encode address bits 24 to 31 and are designated Addr[31:24]; these are encoded with the address value F9h. During bit time 7, bits 0 to 7 are used to encode address bits 32 to 39 and are designated Addr[39:32]; these are encoded with the address value FDh. These addresses correspond to the reserved SKINIT address space of SSP 130 described above in conjunction with Fig. 2 to Fig. 5.
Referring now to Fig. 7, a diagram of one embodiment of a Hash_End packet is shown. Like Hash_Start packet 600 of Fig. 6, Hash_End packet 700 includes a number of fields, each made up of bits 0 to 7 (one byte). The packet spans bit times 0 to 7 and is therefore an 8-byte packet. The format of Hash_End packet 700 is identified as a broadcast message, generally issued by the host bridge to communicate with all downstream devices. During bit time 0, bits 0 to 5 are used to encode the command and are designated CMD[5:0], and bits 6 to 7 are used to encode bits 2 and 3 of the sequence ID and are designated SeqID[3:2]. In the illustrated embodiment, CMD[5:0] is encoded as 111010b, which indicates a non-posted, sized-write, double-word, non-coherent packet. During bit time 1, bits 0 to 4 are used to encode the unit ID of the host bridge (00000b) and are designated UnitID[4:0]. Bits 5 to 6 are used to encode bits 0 and 1 of the sequence ID and are designated SeqID[1:0]. Bit 7 is the pass-posted-writes bit and is designated PassPW; in this embodiment the PassPW bit is fixed at 0b. During bit time 2, all bits are reserved. During bit time 3, bits 0 to 1 are reserved, and bits 2 to 7 are used to encode address bits 2 to 7 and are designated Addr[7:2]; these bits are encoded with the address value 00000b. During bit time 4, bits 0 to 7 are used to encode address bits 8 to 15 and are designated Addr[15:8]; these bits are encoded with the address value 00000b. During bit time 5, bits 0 to 7 are used to encode address bits 16 to 23 and are designated Addr[23:16]; these bits are encoded with the address value 28h. During bit time 6, bits 0 to 7 are used to encode address bits 24 to 31 and are designated Addr[31:24]; these are encoded with the address value F9h. During bit time 7, bits 0 to 7 are used to encode address bits 32 to 39 and are designated Addr[39:32]; these are encoded with the address value FDh. These addresses correspond to the reserved SKINIT address space of SSP 130 described above in conjunction with Fig. 2 to Fig. 5.
Referring now to Fig. 8, a diagram of one embodiment of a Hash_Data packet is shown. Hash_Data packet 800 includes a number of fields, each made up of bits 0 to 7 (one byte). The packet spans bit times 0 to 7 and is therefore an 8-byte packet. The format of Hash_Data packet 800 is identified as a sized-write request packet. During bit time 0, bits 0 to 5 are used to encode the command and are designated CMD[5:0], and bits 6 to 7 are used to encode bits 2 and 3 of the sequence ID and are designated SeqID[3:2]. In the illustrated embodiment, CMD[5:0] is encoded as 0011x0b, which indicates a non-posted sized write with double-word data, non-coherent packet. During bit time 1, bits 0 to 4 are used to encode the unit ID of the host bridge (00000b) and are designated UnitID[4:0]. Bits 5 to 6 are used to encode bits 0 and 1 of the sequence ID and are designated SeqID[1:0]. Bit 7 is the pass-posted-writes bit and is designated PassPW; in this embodiment the PassPW bit is fixed at 0b. During bit time 2, bits 0 to 4 are used to encode the source tag value and are designated SrcTag[4:0]. Bit 5 is used as the compatibility bit and is fixed at 0b. Bits 6 to 7 are used to encode bits 0 and 1 of the data mask or data count value and are designated Mask/Count[1:0]. These bits are encoded with the value 0xb, which indicates that a single Dword of Hash_Data may be sent per transaction, using either byte or Dword mode. For example, Dword mode corresponds to a count value of 0000b (1 Dword), and byte mode corresponds to a count value of 0001b (2 Dwords: one mask and one data), with the mask Dword equal to 000Fh. During bit time 3, bits 0 to 1 are used to encode bits 2 and 3 of the data mask or data count value and are designated Mask/Count[3:2]. Bits 2 to 7 are used to encode address bits 2 to 7 and are designated Addr[7:2]; these are encoded with the address value 000001b. During bit time 4, bits 0 to 7 are used to encode address bits 8 to 15 and are designated Addr[15:8]; these are encoded with the address value 00h. During bit time 5, bits 0 to 7 are used to encode address bits 16 to 23 and are designated Addr[23:16]; these are encoded with the address value 28h. During bit time 6, bits 0 to 7 are used to encode address bits 24 to 31 and are designated Addr[31:24]; these are encoded with the address value F9h. During bit time 7, bits 0 to 7 are used to encode address bits 32 to 39 and are designated Addr[39:32]; these are encoded with the address value FDh. These addresses correspond to the reserved SKINIT address space of SSP 130 described above in conjunction with Fig. 2 to Fig. 5.
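As an added example, not code from the patent, the following Python decodes 8-byte HyperTransport™ request packets using the bit-time layout above and applies the three checks PCI bus bridge 422 performs: the SKINIT filter classifies a packet as Hash_Start, Hash_End or Hash_Data from its CMD encoding and address, the source detector requires UnitID 00000b (the host bridge), and the address filter requires the address to lie in the 256-byte secure start range. The 40-bit base FD_F928_0000h is composed from the Addr[39:32]=FDh, Addr[31:24]=F9h and Addr[23:16]=28h values above; separating Hash_Start from Hash_End by offset (8h versus 0h, per the mapping table) and the sample packets are this example's own assumptions.

```python
"""Decode HyperTransport(TM) request packets and apply the checks described
above for PCI bus bridge 422: SKINIT filter (is it a Hash_x transaction?),
SKINIT source detector (is UnitID the host bridge's 00000b?) and address
filter (is the address inside the SSP's 256-byte secure start range?).
Added example. FD_F928_0000h is composed from Addr[39:32]=FDh, Addr[31:24]=F9h,
Addr[23:16]=28h; Hash_Start vs Hash_End by offset is an assumption."""
from dataclasses import dataclass
from typing import Optional

HOST_BRIDGE_UNIT_ID = 0b00000        # UnitID reserved for the host bridge
CMD_BROADCAST = 0b111010             # CMD[5:0] of Hash_Start and Hash_End
CMD_HASH_DATA_VALUE = 0b001100       # Hash_Data CMD[5:0] is 0011x0b, so
CMD_HASH_DATA_MASK = 0b111101        # bit 1 is masked off as don't-care
SECURE_RANGE_BASE = 0xFD_F928_0000   # Addr[39:16] = FD F9 28h, low bits zero
SECURE_RANGE_SIZE = 0x100            # 256-byte secure start address range
OFF_HASH_END, OFF_HASH_DATA, OFF_HASH_START = 0x0, 0x4, 0x8  # mapping table

@dataclass(frozen=True)
class HtPacket:
    cmd: int          # CMD[5:0]
    seq_id: int       # SeqID[3:0]
    unit_id: int      # UnitID[4:0]
    pass_pw: int      # PassPW
    src_tag: int      # SrcTag[4:0]     (sized writes only)
    mask_count: int   # Mask/Count[3:0] (sized writes only)
    addr: int         # Addr[39:2] << 2: Dword-aligned 40-bit address

def decode(raw: bytes) -> HtPacket:
    """Split an 8-byte (eight bit-time) request packet into its fields."""
    if len(raw) != 8:
        raise ValueError("HT request packet must be exactly 8 bit-times")
    b = raw
    cmd = b[0] & 0x3F                                          # bit time 0, bits 0-5
    seq_id = (((b[0] >> 6) & 0x3) << 2) | ((b[1] >> 5) & 0x3)  # SeqID[3:2] | SeqID[1:0]
    unit_id = b[1] & 0x1F                                      # bit time 1, bits 0-4
    pass_pw = (b[1] >> 7) & 0x1                                # bit time 1, bit 7
    src_tag = b[2] & 0x1F                                      # bit time 2, bits 0-4
    mask_count = ((b[3] & 0x3) << 2) | ((b[2] >> 6) & 0x3)     # Mask/Count[3:2] | [1:0]
    addr = ((b[3] >> 2) & 0x3F) << 2                           # Addr[7:2], bit time 3
    addr |= b[4] << 8 | b[5] << 16 | b[6] << 24 | b[7] << 32   # Addr[39:8], bit times 4-7
    return HtPacket(cmd, seq_id, unit_id, pass_pw, src_tag, mask_count, addr)

def encode(cmd: int, unit_id: int, addr: int, mask_count: int = 0) -> bytes:
    """Inverse of decode() for the fields used here; SeqID, PassPW and SrcTag
    are left at 0b, as in the packets described above."""
    if addr & 0x3 or addr >> 40:
        raise ValueError("address must be Dword aligned and fit in 40 bits")
    b = bytearray(8)
    b[0] = cmd & 0x3F
    b[1] = unit_id & 0x1F
    b[2] = (mask_count & 0x3) << 6
    b[3] = ((mask_count >> 2) & 0x3) | (((addr >> 2) & 0x3F) << 2)
    b[4:8] = bytes((addr >> s) & 0xFF for s in (8, 16, 24, 32))
    return bytes(b)

def classify(p: HtPacket) -> Optional[str]:
    """SKINIT filter: name the Hash_x transaction, or None if it is not one."""
    if p.cmd == CMD_BROADCAST:
        # Both broadcasts carry the secure space in Addr[39:18]; Hash_End pins
        # Addr[17:2] to zero while Hash_Start leaves them don't-care.
        if (p.addr >> 18) != (SECURE_RANGE_BASE >> 18):
            return None
        return "Hash_End" if p.addr == SECURE_RANGE_BASE + OFF_HASH_END else "Hash_Start"
    if (p.cmd & CMD_HASH_DATA_MASK) == CMD_HASH_DATA_VALUE:
        # One Dword per transaction: count 0000b (Dword mode) or 0001b (byte mode)
        if p.addr == SECURE_RANGE_BASE + OFF_HASH_DATA and p.mask_count in (0b0000, 0b0001):
            return "Hash_Data"
    return None

def in_secure_range(addr: int) -> bool:
    """Address filter: the in-range signal for the SSP's secure start range."""
    return SECURE_RANGE_BASE <= addr < SECURE_RANGE_BASE + SECURE_RANGE_SIZE

def bridge_decision(raw: bytes) -> str:
    """Run one packet through SKINIT filter, source detector and address filter.
    'forward:<Hash_x>' may be translated for the SSP; 'drop:<reason>' is a SKINIT
    transaction that must not reach it; 'pass-through' is ordinary traffic."""
    p = decode(raw)
    kind = classify(p)
    if kind is None:
        return "pass-through"
    if p.unit_id != HOST_BRIDGE_UNIT_ID:   # source detector: not the host bridge
        return "drop:source-not-host-bridge"
    if not in_secure_range(p.addr):        # address filter: outside the 256 bytes
        return "drop:address-out-of-range"
    return f"forward:{kind}"

# Constructed sample packets (one hex byte per bit time 0..7), not captured data.
SAMPLE_PACKETS = {
    "hash_start":  bytes.fromhex("3A 00 00 08 00 28 F9 FD"),  # CMD 111010b, UnitID 0
    "hash_end":    bytes.fromhex("3A 00 00 00 00 28 F9 FD"),  # same, offset 0
    "hash_data":   bytes.fromhex("0C 00 00 04 00 28 F9 FD"),  # CMD 0011x0b, Addr[7:2]=000001b
    "peer_start":  bytes.fromhex("3A 03 00 08 00 28 F9 FD"),  # Hash_Start from UnitID 3
    "plain_write": bytes.fromhex("0C 00 00 00 00 00 00 FE"),  # sized write elsewhere
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:12s} {pkt.hex()}  ->  {bridge_decision(pkt)}")
```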
Although the embodiments above have been described in considerable detail, numerous variations and modifications will become apparent to those skilled in the art once the above disclosure is fully appreciated. It is intended that the following claims be interpreted to embrace all such variations and modifications.
Industrial Applicability
The present invention is generally applicable to computer systems.

Claims (8)

1. A bus bridge (121, 211, 321) for bridging transactions between a secure execution mode-capable processor (100A-B) and a security services processor (130), the bus bridge comprising:
a transaction source detector (450) configured to receive a secure initialization transaction performed as a result of execution of a secure initialization instruction, and configured to determine whether the secure execution mode-capable processor is the source of the secure initialization transaction;
a configuration header (415) configured to provide storage for information associated with the security services processor;
control logic (416) coupled to the configuration header and configured to determine whether the security services processor is coupled to a non-enumerable peripheral bus (135, 335); and
a command translator (455) coupled to the transaction source detector, the command translator further configured to translate the secure initialization transaction into a transaction suitable for conveyance to the security services processor over the non-enumerable peripheral bus, in response to the transaction source detector determining that the secure execution mode-capable processor is the source of the secure initialization transaction.
2. The bus bridge as recited in claim 1, wherein the control logic is further configured to make the configuration header accessible during an initialization sequence, in response to determining that the security services processor is coupled to the non-enumerable peripheral bus.
3. The bus bridge as recited in claim 1, further comprising a transaction filter (405) coupled to the transaction source detector and configured to determine whether a received transaction is a secure initialization transaction performed as a result of execution of a secure initialization instruction.
4. The bus bridge as recited in claim 3, wherein the transaction filter is configured to convey the secure initialization transaction to the transaction source detector in response to determining that the received transaction is a secure initialization transaction performed as a result of execution of a secure initialization instruction.
5. The bus bridge as recited in claim 1, further comprising a bridge unit (401) coupled to receive HyperTransport™ transactions from the secure execution mode-capable processor over a HyperTransport™ link (401), and configured to block peer-to-peer accesses to the security services processor in response to an address filter (410) determining, after a start transaction has been received and before an end transaction is received, that a given received transaction includes an address corresponding to the secure address space associated with the security services processor.
6. A computer system (20) comprising:
a processor configured to initiate a secure execution mode by executing a secure initialization instruction, and configured to operate in the secure execution mode by executing secure operating system code segments; and
the bus bridge as recited in any one of the preceding claims, coupled to the processor via an I/O link and coupled to a security services processor via a non-enumerable peripheral bus.
7. A bus bridge (121, 221, 421) for bridging transactions between a secure execution mode-capable processor (100A-B) and a security services processor (130), the bus bridge comprising:
a transaction source detector (510) configured to receive a secure initialization transaction performed as a result of execution of a secure initialization instruction, and configured to determine whether the secure execution mode-capable processor is the source of the secure initialization transaction;
a base address shadow register (515) configured to provide storage for configuration information associated with the security services processor;
control logic (516) coupled to the base address shadow register, configured to intercept transactions that include configuration information for the security services processor, and configured to cause configuration transactions to the base address shadow register; and
a command translator (555) coupled to the transaction source detector and configured to translate the secure initialization transaction into a transaction suitable for conveyance to the security services processor over a multiplexed address and data peripheral bus (545), in response to the transaction source detector determining that the secure execution mode-capable processor is the source of the secure initialization transaction.
8. The bus bridge as recited in claim 7, further comprising a bridge unit (501) coupled to receive HyperTransport™ transactions from the secure execution mode-capable processor over a HyperTransport™ link (401), and configured to block peer-to-peer accesses to the security services processor in response to an address filter (510) determining, after a start transaction has been received and before an end transaction is received, that a given received transaction includes an address corresponding to the secure address space associated with the security services processor.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US10/429,132 2003-05-02
US10/429,132 US7334123B2 (en) 2003-05-02 2003-05-02 Computer system including a bus bridge for connection to a security services processor

Publications (2)

Publication Number Publication Date
CN1781069A CN1781069A (en) 2006-05-31
CN100524154C true CN100524154C (en) 2009-08-05

Family

ID=33434832

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004800117221A Expired - Fee Related CN100524154C (en) 2003-05-02 2004-01-09 A computer system including a bus bridge for connection to a security services processor

Country Status (7)

Country Link
US (1) US7334123B2 (en)
EP (1) EP1623291A1 (en)
JP (1) JP4514060B2 (en)
KR (1) KR100987507B1 (en)
CN (1) CN100524154C (en)
TW (1) TWI342495B (en)
WO (1) WO2004099954A1 (en)

Also Published As

Publication number Publication date
KR20060056891A (en) 2006-05-25
CN1781069A (en) 2006-05-31
JP4514060B2 (en) 2010-07-28
TW200424864A (en) 2004-11-16
WO2004099954A1 (en) 2004-11-18
KR100987507B1 (en) 2010-10-13
TWI342495B (en) 2011-05-21
EP1623291A1 (en) 2006-02-08
US7334123B2 (en) 2008-02-19
US20040250063A1 (en) 2004-12-09
JP2006525596A (en) 2006-11-09

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: GLOBALFOUNDRIES SEMICONDUCTORS CO., LTD

Free format text: FORMER OWNER: ADVANCED MICRO DEVICES CORPORATION

Effective date: 20100721

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: CALIFORNIA STATE, THE USA TO: GRAND CAYMAN ISLAND, BRITISH CAYMAN ISLANDS

TR01 Transfer of patent right

Effective date of registration: 20100721

Address after: Grand Cayman, Cayman Islands

Patentee after: Globalfoundries Semiconductor Inc.

Address before: American California

Patentee before: Advanced Micro Devices Inc.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090805

Termination date: 20170109